February 2, 2018

This is the ‘First Firefox Add-on’ Caught Injecting Monero Miner

Attention Firefox users! If you think you are safe from extensions that mine cryptocurrencies secretively using computer resources, then you are mistaken.


Until recently we have seen hackers trying to implement various crypto jacking methods to mine digital coins. We can not forget the popular Chrome extension Archive Poster with almost 105,062 users, caught mining Monero using Coinhive.

Most of the cases were limited to Google Chrome until recently when Lawrence Abrams of Bleeping computer found a Firefox add-on called Image Previewer injecting Monero in-browser miner into the browser.

Image Previewer is an add-on that gets installed on the browser when malicious websites that pretend to deliver a manual Firefox update pushes “repeated Javascript alerts and user authentication prompts”, making the users install the update i.e  the add-on directly from the site.


After the add-on is installed, it injects an “iframe to a Javascript file that monetizes sites that you visit using popups, link click hijacking, and ad injection”.

According to the findings, the add-on will later open a set-up script for the in-browser Monero miner. To mine Monero, major script xmr.main.min.js is executed which contains base64 encoded WebAssembly program. The mining process can exploit 50% of the users CPU processing power eventually decreasing the lifespan of the hardware.

As this is an in-browser miner, it won’t consume the hardware resources when you exit the browser, unlike the one we have seen in Archive Poster extension. However, the users can end the hardware exploitation by removing the Image Previewer extension from the Firefox menu.

And it is always suggested to install the extensions from official Mozilla Add-on repository itself to avoid unnecessary risks.


About the author 


{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}